Bug 13931

Summary: perl-XML-DT new security issue CVE-2014-5260
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jquelin, mageia, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/614049/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: perl-XML-DT-0.620.0-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2014-08-18 20:45:47 CEST 
A CVE was assigned for an insecure temporary file issue in perl-XML-DT:
http://openwall.com/lists/oss-security/2014/08/15/8

The issue is fixed upstream in 0.66.

Mageia 4 also has the issue, but tmpfile issues aren't a real security problem on newer kernels.

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-18 20:49:41 CEST

CC: (none) => mageia

Comment 1 Jerome Quelin 2014-09-26 10:38:34 CEST 
Updated to 0.66 since there are no new deps.
New packages available in core/updates_testing:
- perl-XML-DT-0.660.0-1.mga3
- perl-XML-DT-0.660.0-1.mga4

Please test & push
Advisory:
========================================
The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file.
This new perl-XML-DT package fixes the problem.
========================================

thanks.

CC: (none) => jquelin
Assignee: jquelin => qa-bugs

Comment 2 claire robinson 2014-09-26 13:14:20 CEST 
Added deps are not a problem now Jerome, TBWNWDNM was resolved in mga3 \o/
Comment 3 David Walser 2014-09-26 14:40:59 CEST 
Advisory:
========================

Updated perl-XML-DT package fixes security vulnerability:

The mkxmltype and mkdtskel scripts provided in perl-XML-DT allow local users
to overwrite arbitrary files via a symlink attack on a /tmp/_xml_#####
temporary file (CVE-2014-5260).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5260
http://openwall.com/lists/oss-security/2014/08/15/8

Version: 3 => 4
Whiteboard: (none) => MGA3TOO

Comment 4 claire robinson 2014-09-26 15:51:13 CEST 
Testing complete mga3 32

Involves file naming with /usr/bin/mkxmltype and /usr/bin/mkdtskel
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756566

Before
------
$ grep tmp /usr/bin/mkdtskel
      system("head -$lines $filename | xmllint --recover - > /tmp/_xml_$$");
      $filename = "/tmp/_xml_$$";
   unlink("/tmp/_xml_$$") if $lines;

$ grep tmp /usr/bin/mkxmltype 
      system("head -$lines $fname | xmllint --recover - > /tmp/_xml_$$");
      $fname = "/tmp/_xml_$$";
    unlink("/tmp/_xml_$$") if $lines;

After
-----
$ grep tmp /usr/bin/mkdtskel
        my $tmpfile = File::Temp->new( UNLINK => 0 )->filename;
        system("head -$lines $filename | xmllint --recover - > $tmpfile");
        $filename = $tmpfile;
$ grep tmp /usr/bin/mkxmltype 
      my $tmpfile = File::Temp->new( UNLINK => 0 )->filename;
      system("head -$lines $fname | xmllint --recover - > $tmpfile");
      $fname = $tmpfile;


Testing functionality with random xml file...
$ cat testdata.xml 
<?xml version="1.0" encoding="UTF-8"?>
<testsuites tests="10" failures="0" disabled="0" errors="0" time="0.001" name="AllTests">
  <testsuite name="TestOne" tests="5" failures="0" disabled="0" errors="0" time="0.001">
    <testcase name="DefaultConstructor" status="run" time="0" classname="TestOne" />
    <testcase name="DefaultDestructor" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_EMIT_Passthrough" status="run" time="0" classname="TestOne" />
    <testcase name="VHDL_BUILD_Passthrough" status="Tested OK" time="0" classname="TestOne" />
    <testcase name="VHDL_SIMULATE_Passthrough" status="run" time="0.001" classname="TestOne" />
</testsuite>
</testsuites>


$ mkdtskel testdata.xml 
#!/usr/bin/perl
use XML::DT;
use warnings;
use strict;
my $filename = shift;

# Variable Reference
#
# $c - contents after child processing
# $q - element name (tag)
# %v - hash of attributes

my %handler=(
#    '-outputenc' => 'ISO-8859-1',
#    '-default'   => sub{"<$q>$c</$q>"},
     'testcase' => sub{ }, # 5 occurrences; attributes: status, time, name, classname
     'testsuite' => sub{ }, # 1 occurrences; attributes: failures, disabled, errors, tests, time, name
     'testsuites' => sub{ }, # 1 occurrences; attributes: failures, disabled, errors, tests, time, name
);
print dt($filename, %handler);


$ mkxmltype testdata.xml 
# testsuites ...Fri Sep 26 14:49:09 2014
testsuites 	=>  testsuite * failures * disabled * errors * tests * time * name
testsuite 	=>  seq(testcase) * failures * disabled * errors * tests * time * name
testcase 	=>  empty * status * time * name * classname

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok

Comment 5 claire robinson 2014-09-26 15:52:20 CEST 
*/tmp file naming
Comment 6 claire robinson 2014-09-26 16:00:56 CEST 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 7 claire robinson 2014-09-26 16:35:08 CEST 
Testing complete mga4 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 8 claire robinson 2014-09-26 17:01:41 CEST 
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 9 claire robinson 2014-09-26 17:41:41 CEST 
Validating. Advisory from comment 3 uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Mageia Robot 2014-09-26 17:55:28 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0390.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-09-30 21:04:19 CEST

URL: (none) => http://lwn.net/Vulnerabilities/614049/